Regulatory guidelines on the Qatar Personal Data Protection Law

  • Legal Development, 15 March 2021

Qatar was the first country in the Middle East to introduce a national data privacy law. The local data protection authority has recently issued a series of regulatory guidelines that both clarify the existing legislation and introduce new compliance requirements for data controllers. In this article, we provide an overview of the key changes to the data protection regime and some specific considerations for all organisations doing business in Qatar.

Background

Qatar was one of the first countries in the Middle East to introduce a standalone data protection law: Law No. 13 of 2016 Concerning Personal Data Protection (the PDPL) was issued more than four years ago. The PDPL incorporated concepts familiar from other international privacy frameworks at the time.

In November 2020, the Compliance and Data Protection Department (CDP) of the Ministry of Transport and Communications issued 14 regulatory guidelines on the PDPL. Notably, the guidelines introduced new concepts that are not expressly addressed in the PDPL. Many of these concepts are aligned with principles in the EU General Data Protection Regulation, which came into force in 2018. These include requirements for controllers to carry out data privacy impact assessments and to maintain records of processing activities.

The guidelines are likely to be a precursor to increased enforcement activity by the CDP. Depending on their current internal data protection policies and procedures, organisations doing business in Qatar may need to make a substantial effort to comply with these new measures, and failure to comply could lead to fines of up to QAR 5,000,000 (USD 1,370,000).

Key action points

There are currently 14 guidelines covering a range of different privacy compliance issues. The guidelines are intended to clarify obligations under the PDPL and, in many cases, they go further by introducing new requirements.

We set out below the key takeaways that organisations need to consider incorporating into their business practices to ensure continued compliance:

  • Third party processors: There are enhanced requirements in the guidelines to carry out due diligence on data processors and put in place adequate contracts to regulate how they process personal data.
  • Personal Data Management System: The PDPL introduces the new concept of a Personal Data Management System (PDMS) that must be implemented by organisations to effectively manage the personal data that they process and to report any violations of procedures and controls.
  • Privacy notices: The new guidelines are more prescriptive on the information that should be included in a privacy notice, which may require organisations to update existing policies and forms.
  • Record of processing activities: Data controllers now need to maintain a record of processing activities (ROPA) and ensure that any departments which process personal data are informed and trained on how to update the ROPA.
  • Special nature personal data: Authorisation from the CDP is required to process any data of a “special nature”, which includes data relating to health, religion, criminal convictions and children.
  • Data subject requests: Organisations must implement appropriate policies and procedures to enable individuals to exercise their rights, including the right to withdraw consent and to request erasure or correction of personal data. Data controllers have 30 days to respond to such requests.
  • Data breach notification: The guidelines clarify that required notifications of data breach incidents (to the CDP and affected individuals) must be made within 72 hours.
  • Data Privacy Impact Assessments: The PDPL does not expressly refer to a requirement for controllers to conduct a Data Privacy Impact Assessment (DPIA). However, the guidelines now make it a requirement to conduct a DPIA before undertaking new processing activities, particularly in the case of prospective data exports or the processing of special nature personal data. Organisations could be subject to a fine of QAR 1,000,000 (USD 275,000) for failing to carry out a DPIA.
  • Privacy by design and default: Organisations must embed privacy into their processing activities and business practices, from the design stage and throughout their lifecycle. The guidelines include a number of recommendations on how to achieve this.
  • Direct marketing: The guidelines clarify that consent for direct marketing communications must be explicit, unambiguous and a clear, affirmative statement. It should also be easy for individuals to withdraw their consent. Previous methods of inferring consent, such as pre-ticked boxes or implied consent, may no longer be considered valid.

Considerations for employers

Since health information is considered special nature personal data and requires permission from the CDP, organisations that process such data (e.g. medical leave, Covid-19 symptoms, vaccination status or sick benefits of employees) will need to submit a Special Nature Personal Data Form to the CDP. Organisations will need to show that they have a permitted reason as well as an “additional condition” to process the personal data. The guidelines state that consent is not advisable as a legal basis for processing employees' data, meaning that employers should try to avoid relying on consent when they collect and process personal data of their employees. Organisations should therefore assess their employment contracts and legal grounds for processing employee data.

Employers will also need to conduct DPIAs when processing employees’ personal data, as the CDP considers this an example of processing that “may cause serious damage”. Employers should undertake DPIAs with respect to their processing of employee data, identifying measures to reduce the risk of serious damage and recording their decision-making.

What next?

Organisations operating in Qatar must now comply with a more detailed and comprehensive regulatory framework. The new guidelines clarify many of the questions that existed under the PDPL.

The release of the CDP guidelines has generated a number of new requirements that will require a fundamental shift in the approach to data protection compliance for many organisations. Multinationals that already comply with global standards will also need to evaluate their data privacy frameworks to ensure local compliance.

The creation of an effective data protection framework requires an enterprise-wide approach that will typically necessitate the involvement of a number of business units, including HR, marketing, sales, customer service and IT. Our recent briefing and video for Data Privacy Day 2021 provided some tips for establishing a privacy framework and our leading Middle East privacy team can support you on the journey to compliance in conjunction with our established on-the-ground presence in Doha.
